|
Posted by Monty Solomon on June 12, 2005, 3:00 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Robert Lemos, SecurityFocus
Phones, PCs and mobile devices that use the wireless Bluetooth
standard for short-range communications are open to eavesdropping
attacks if their users do not set long passwords, researchers said
this week.
The two-step attack can cause two devices to reestablish the link
between them, a process known as "pairing," and then use the data
exchanged during pairing to guess the password that secures the
connection in well under a second. A successful attack could allow an
attacker to eavesdrop and potentially issue commands to the other
device, said Avishai Wool, assistant professor of electrical
engineering at Tel Aviv University in Israel and a co-author of the
paper.
"At a minimum, it allows the attacker to eavesdrop on all the
subsequent encrypted communication between two Bluetooth devices,"
Wool said in an e-mail interview. "If the attacker can also fake his
own Bluetooth device address, he can potentially pretend to be one
device and pair with the other, which may allow him to issue
commands."
The attacker could conceivable mimic any other supported Bluetooth
device, such as a headset for a phone, he said. If the one device
could extract personal data from or issue commands to the other, then
so could the attacker.
The paper, which was presented at the MobiSys 2005 conference on
Monday, caused a stir among security experts because the technique is
the first general purpose attack to threaten Bluetooth devices. Past
attacks only worked against devices that improperly implemented
Bluetooth or under special circumstances.
The Bluetooth Special Interest Group (SIG), the organization that sets
the specifications for the standard, placed the latest attack in the
latter category, because devices that have longer, alphanumeric PINs
are effectively protected against the technique.
http://www.securityfocus.com/news/11202
http://www.eng.tau.ac.il/~yash/Bluetooth/
|
| Similar Threads | Posted | | Weak Caller ID signal [telecom] | June 26, 2008, 9:42 pm |
| Police Say China Internet Fraud Laws Are Weak | April 12, 2006, 11:34 pm |
| Googling for ATM Master Passwords | September 22, 2006, 3:01 pm |
| Keystrokes Reveal Passwords to Researchers | September 20, 2005, 5:42 pm |
| Cyberthieves Silently Copy Your Passwords as You Type | February 28, 2006, 10:49 pm |
| Utah Proposes Requiring Wireless Passwords | April 18, 2007, 6:53 pm |
| Re: Utah Proposes Requiring Wireless Passwords | April 20, 2007, 10:00 am |
| Flaw in Mail-List Software Leaks Passwords | February 22, 2005, 4:27 pm |
| Bluetooth Device on 2 PCs | June 29, 2005, 1:57 pm |
| Alternatives to GPS: WiFi, Bluetooth, UWB | May 15, 2006, 5:45 pm |
|
|
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map